@ The PA Guy: build any box with a fresh install of Windows and it will run really fast. Especially if you have an SSD. As you probably know, pile on your favourite programs and use the machine for a few years and it will slow down - registry bloat, WU bloat, fragments of half-uninstalled stuff, etc.

It has been a regular tactic of MS, to say that their "old" product is now insecure and that the "new and improved" bleach washes clothes better than ever. "What, you mean you sold me a crappy product when you enticed me to buy windows 7" ? And they said the same thing about XP. *Yawn* While I don't doubt there have been security improvements in win10, that alone is not sufficient to justify changing; especially with the myriad ways at our disposal to secure current OS's and networks.

I absolutely hate the modern "flat look" win10 GUI (win 8.1 also, for that matter!) - ugly square windows, super white blinding backgrounds, the **ugh** ribbon that eats up screen real estate, the start menu, very few customization options. I won't rant about the multiple telemetry, ads in the taskbar, ads on the lock screen, Cortana & Edge that listen in on everything, updates and upgrades that regularly clobber all your settings & personalisation, the pushy "app store" that intrudes even on the legacy desktop, etc.

Windows 7, locked down it is, until 2020; then maybe on to windows 8.1 until 2023. In parallel, Linux Mint for online stuff & eventually all windows machines on a separate non-internet connected LAN; or Linux machines with VM's running windows. I refuse to waste my time fighting the OS and have my person profiled and monetized.

Microsoft delayed Patch Tuesday updates for what seems to be the first time ever, but the company hasn’t provided any information on what exactly went wrong, saying instead that all updates would be released to Windows systems at a later time.

Redmond explained in a short statement that it discovered a “last-minute bug” that could have caused issues for a number of customers, so because it didn’t want to take any risks, it decided to delay the Patch Tuesday rollout completely until a fix is developed.

As far as the reasons for the delay are concerned, there’s a lot of speculation online and many people believe that it was all caused by Windows 10 cumulative updates. And it’s no wonder why users blame these updates.

Cumulative updates caused quite a lot of issues on Windows 10 systems in the past and many of them failed to install on specific PCs, so users believe that Redmond discovered a similar bug and decided to hold back the release to fix it.

And yet, there’s a good chance that cumulative updates are not the ones to blame for this delay, but an infrastructure bug. As Shavlik’s Chris Goettl says, Microsoft’s increasing focus on cumulative updates makes it impossible for the company to pull just a single patch, as all fixes are included in a single pack, so holding back the entire rollout becomes the only option.

“Before the cumulative update model, a single patch could be pulled from the release without impacting the entire Patch Tuesday release. Now, speculation as to if this was an issue with one of the cumulative updates that caused this delay is not entirely unfounded, but thinking about this, if it were one update that was broken Microsoft could release everything else. The fact is Microsoft didn’t release anything, which sounds more like an infrastructure issue,” he says.

"Issues caused by new update model?"

Starting this month, Microsoft also planned to replace its existing update system with a new one that would no longer include single patches, and there’s a chance that this change caused the delay.

Amol Sarwate of Qualys says this makes it impossible for Microsoft to push Patch Tuesday fixes to Windows computers if it discovers a bug in just one of the updates.

“This comes on the heels of the announcement that individual patches will not be available as they will be bundled together in the monthly Security update or monthly Cumulative update. If there is a problem in the patch for one kernel vulnerability for example, then all kernel or related vulnerabilities cannot be released as they are bundled together,” he says.

At this point, there is no ETA as to when Microsoft is supposed to ship this month’s updates, but some sources claimed Microsoft was at least considering the next Tuesday. We’re guessing Microsoft could release the updates sooner if the fix is ready by Tuesday, but expect a notification to be published before the rollout begins.

Windows Vista, which is often referred to as Microsoft’s biggest flop in the operating system industry, has entered its last 2 months of support, as Redmond will pull the plug on updates and security patches on April 11 this year.

With 55 days left until Windows Vista is retired, users are recommended to move to a newer version of Windows as soon as possible, and obviously, Microsoft’s choice is undoubtedly Windows 10. And yet, Windows 7 should be just fine for Windows Vista users, as it still gets updates until January 2020, although it’s very clear that Windows 10 is the long-term solution for everyone.

Windows Vista has already reached end of mainstream support on April 10, 2012, and on April 11, 2017, the operating system exits the extended support period, meaning that it no longer receives patches for the security vulnerabilities that Microsoft discovers. Windows 7, 8.1, and 10 will thus remain Microsoft’s only supported desktop operating systems.

"Effortless transition off Windows Vista"

Back in 2014 when Microsoft pulled the plug on Windows XP, the company really struggled to convince users to upgrade to a supported Windows version, especially because XP was still the world’s second desktop OS at that point. And nearly three years after that, XP is still running on some 9 percent of computers out there.

In the case of Windows Vista, however, there’s no such risk, mostly because this OS version has long been considered an operating system to avoid because of the problems that many people experienced after installing it.

Windows Vista is currently running on just 0.84 percent of the world’s desktops, and its biggest share in the last 12 months was 1.42 percent in April last year, according to NetMarketShare.

As a result, the demise of Windows Vista is likely to go smoothly, with the remaining users expected to migrate to supported Windows either by the time end of support is announced or shortly after that.

Microsoft has confirmed in a post that this month’s security updates would launch in March, as the February 2017 Patch Tuesday was delayed due to a last-minute bug.

Originally, Microsoft said it decided to hold back the release of new updates because of issues that it didn’t want to disclose, and although it was believed that all patches could go live next Tuesday, the firm says this is not the case.

Instead, Microsoft will release all updates on the next Patch Tuesday cycle taking place on March 14, as the company explains in an update to the original post.

“We will deliver updates as part of the planned March Update Tuesday, March 14, 2017,” the firm said today without providing any other information on what went wrong.

“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan,” Microsoft also explained in the original announcement.

"Zero-day flaw with public exploit code"

The worst thing right now is that the delay of Patch Tuesday to March 2017 means that the company won’t release a patch for the zero-day SMB vulnerability whose exploit code has already been posted online.

According to the US-CERT, the SMB security flaw is already being exploited by cybercriminals, and there is no 100 percent effective workaround, with security experts previously pointing out that a Microsoft patch was absolutely mandatory to keep users secure.

Without such a patch, users remain vulnerable for one more month, and the existing workaround involves blocking outbound SMB connections (TCP ports 139 and 445, along with UDP ports 137 and 138) from the local network to the WAN.
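
A check for the workaround described above, as an added example that is not part of the original article: it scans perimeter connection logs for traffic on the listed SMB ports leaving the local network, so gaps in the egress block show up per host. The log format, the sample lines and the RFC 1918 definition of "local" are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Ports named in the workaround: TCP 139/445 and UDP 137/138.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Assumption: "local network" means RFC 1918 space; adjust for your site.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (hypothetical format, IPv4 only):
#   time proto src_ip:sport dst_ip:dport action
SAMPLE_LOG = """\
2017-02-15T09:00:01 tcp 192.168.1.20:49152 203.0.113.10:445 ALLOW
2017-02-15T09:00:02 tcp 192.168.1.20:49153 192.168.1.5:445 ALLOW
2017-02-15T09:00:03 udp 10.0.0.7:137 198.51.100.4:137 DENY
2017-02-15T09:00:04 tcp 10.0.0.7:49200 203.0.113.10:443 ALLOW
2017-02-15T09:00:05 tcp 172.16.4.9:50000 203.0.113.77:139 ALLOW
2017-02-15T09:00:06 udp 192.168.1.20:138 203.0.113.10:138 ALLOW
"""

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def outbound_smb(log_text):
    """Return records for SMB-port traffic going from local to non-local."""
    hits = []
    for line in log_text.splitlines():
        try:
            ts, proto, src, dst, action = line.split()
            src_ip = src.rsplit(":", 1)[0]
            dst_ip, dport = dst.rsplit(":", 1)
            key = (proto.lower(), int(dport))
            leaving = is_local(src_ip) and not is_local(dst_ip)
        except ValueError:
            continue  # skip blank or malformed lines
        if key in SMB_PORTS and leaving:
            hits.append({"time": ts, "proto": key[0], "src": src_ip,
                         "dst": dst_ip, "dport": key[1],
                         "action": action.upper()})
    return hits

def leaking_hosts(log_text):
    """Count ALLOWed outbound SMB flows per source host (egress gaps)."""
    return Counter(r["src"] for r in outbound_smb(log_text)
                   if r["action"] == "ALLOW")
```

Any host returned by `leaking_hosts` reached a WAN address on an SMB port, meaning the perimeter rule is missing or incomplete for that path; denied records confirm the block is working.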

Google Goes Public with Unpatched Windows Vulnerability, Users Again Exposed

Windows users are once again exposed to attacks, as a Google Project Zero engineer has disclosed an unpatched vulnerability in the operating system.

Google Project Zero member Mateusz Jurczyk discovered a vulnerability in gdi32.dll which allows attackers to compromise Windows systems, and according to his blog post, this flaw was first reported to the software giant in March 2016.

Microsoft acknowledged the vulnerability and attempted to patch it with MS16-074 released in June 2016, but as Jurczyk puts it, only part of the problem was actually fixed.

“We've discovered that not all of the DIB-related problems are gone,” he said. “As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” he explains for the more tech-savvy users.

"Microsoft patch not fixing the issue"

Jurczyk reached out to Microsoft once again to report the vulnerability on November 16, 2016, but given the fact that the company didn’t release a new patch, he decided to make it public as per the Google Project Zero disclosure policy. As part of this program, vendors have 90 days to fix security issues after the first notification is submitted, and should they fail to patch them, details are then made public.

Microsoft hasn’t yet commented on this new disclosure, but the company’s next patching takes place on March 14, as this month’s Patch Tuesday rollout has already been delayed. This means that users remain vulnerable to attacks at least until next month, if a fix for this vulnerability is indeed included in the patching cycle. It’s not known if a patch for this bug was included in the February 2017 Patch Tuesday.

On the good side, exploiting this security flaw involves deploying a specially crafted EMF file on a vulnerable machine and this can only be done with direct access to the computer. It goes without saying that users should stay away from such files coming from sources they cannot trust at least until a patch is delivered.

"Previous Windows vulnerability disclosures"

This isn’t the first time Google goes public with an unpatched security flaw, as a similar disclosure took place in November 2016, when the company published details of a Windows security flaw allowing cybercriminals to gain administrator privileges on vulnerable systems.

At that time, Microsoft criticized Google for disclosing the security bug, explaining that the search giant put all Windows users “at increased risk.”

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Windows boss Terry Myerson said at that point.

We’ve reached out to Microsoft to ask for more information on this new bug and we’ll update the article when an answer is provided.

Google has published the details of another unpatched Windows security flaw, as per the company’s Project Zero program policy that discloses vulnerabilities still not fixed 90 days after the vendor is notified.

This time, the vulnerability is a type confusion in a module in Microsoft Edge and Internet Explorer, with Google engineer Ivan Fratric publishing a proof of concept that can crash the browsers, opening the door for potential attackers to gain administrator privileges on the affected systems.

Fratric says he made the analysis on the 64-bit version of Internet Explorer on Windows Server 2012 R2, but both 32-bit Internet Explorer 11 and Microsoft Edge should be affected by the same vulnerability. This means that Windows 7, Windows 8.1, and Windows 10 users are all exposed.

The vulnerability was reported on November 25, and according to Google Project Zero’s policy, it went public on February 25, as Microsoft is yet to deliver a patch.

Interestingly, Microsoft has already delayed this month’s Patch Tuesday cycle and is now planning to release security updates on March 14, but it’s not yet known if the company actually included a patch for this vulnerability discovered by Google in this month’s rollout or not.

"Second public disclosure this month"

This is the second security flaw disclosed by Google in just a couple of weeks, as the search company also published the details of a vulnerability in gdi32.dll that was first reported to Microsoft in March 2016.

Google Project Zero member Mateusz Jurczyk says Microsoft attempted to patch the flaw in June 2016, but the problem was only partially resolved, so another report was submitted to the firm in November 2016. Again, after the 3-month window expired, Jurczyk published details online.

This brings us to two different security vulnerabilities that are yet to be patched by Microsoft and whose details were posted online by Google, and it’s hard to believe that Redmond would turn to out-of-band fixes to address them before the March 14 rollout.

In the meantime, in order to remain protected against this new flaw, users are recommended to avoid clicking on websites they do not trust and to replace Internet Explorer and Microsoft Edge with a different browser if possible.